DYNAMIC VALIDITY PERIOD CALCULATION OF DIGITAL CERTIFICATES BASED ON AGGREGATED SECURITY ASSESSMENT By Alexander Beck Jens Graupmann Frank Ortmeier.

Slides:



Advertisements
Similar presentations
Smart Certificates: Extending X.509 for Secure Attribute Service on the Web October 1999 Joon S. Park, Ph.D. Center for Computer High Assurance Systems.
Advertisements

An Alternative to Short Lived Certificates By Vipul Goyal Department of Computer Science & Engineering Institute of Technology Banaras Hindu University.
Experiences with Massive PKI Deployment and Usage Daniel Kouřil, Michal Procházka Masaryk University & CESNET Security and Protection of Information 2009.
A Framework for Distributed OCSP without Responders Certificate
Digital Certificate Installation & User Guide For Class-2 Certificates.
Installation & User Guide
Configuration management
Configuration management
Digital Certificate Installation & User Guide For Class-2 Certificates.
Digital Certificate Installation & User Guide For Class-2 Certificates.
PKE PP Mike Henry Jean Petty Entrust CygnaCom Santosh Chokhani.
Planning a Public Key Infrastructure
RPKI Certificate Policy Stephen Kent, Derrick Kong, Ronald Watro, Karen Seo July 21, 2010.
Csci5233 Computer Security1 Bishop: Chapter 10 (Cont.) Key Management: Certificates.
Deploying and Managing Active Directory Certificate Services
Geneva, Switzerland, 2 June 2014 Introduction to public-key infrastructure (PKI) Erik Andersen, Q.11 Rapporteur, ITU-T Study Group 17 ITU Workshop.
Identity Standards (Federal Bridge Certification Authority – Certificate Lifecycle) Oct,
Chapter 9 Deploying IIS and Active Directory Certificate Services
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
DESIGNING A PUBLIC KEY INFRASTRUCTURE
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
16.1 © 2004 Pearson Education, Inc. Exam Planning, Implementing, and Maintaining a Microsoft® Windows® Server 2003 Active Directory Infrastructure.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
PKIs  To use public key methods, an organization must establish a comprehensive Public Key Infrastructure (PKI) A PKI automates most aspects of using.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
Chapter 11: Active Directory Certificate Services
November 1, 2006Sarah Wahl / Graduate Student UCCS1 Public Key Infrastructure By Sarah Wahl.
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006 draft-ietf-sidr-res-certs-01 Geoff Huston Rob Loomans George Michaelson.
CS526 – Advanced Internet And Web Systems Semester Project Public Key Infrastructure (PKI) By Samatha Sudarshanam.
Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Patch Management Module 13. Module You Are Here VMware vSphere 4.1: Install, Configure, Manage – Revision A Operations vSphere Environment Introduction.
MOCA : Mobile Certificate Authority for Wireless Ad Hoc Networks The 2nd Annual PKI Research Workshop (PKI 2003) Seung Yi, Robin Kravets September. 25,
11 CERTIFICATE SERVICES AND SECURE AUTHENTICATION Chapter 10.
Configuring Active Directory Certificate Services Lesson 13.
Database Key Management CSCI 5857: Encoding and Encryption.
Wolfgang Schneider NSI: A Client-Server-Model for PKI Services.
Key Management Lifecycle. Cryptographic key management encompasses the entire lifecycle of cryptographic keys and other keying material. Basic key management.
NUAGA May 22,  IT Specialist, Utah Department of Technology Services (DTS)  Assigned to Department of Alcoholic Beverage Control  PCI Professional.
Information Systems Security Computer System Life Cycle Security.
© 2010 VMware Inc. All rights reserved Patch Management Module 13.
Introduction to Secure Messaging The Open Group Messaging Forum April 30, 2003.
 To explain the importance of software configuration management (CM)  To describe key CM activities namely CM planning, change management, version management.
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Java Security Pingping Ma Nov 2 nd, Overview Platform Security Cryptography Authentication and Access Control Public Key Infrastructure (PKI)
Practices in Security Bruhadeshwar Bezawada. Key Management Set of techniques and procedures supporting the establishment and maintenance of keying relationships.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian.
Configuration Management (CM)
Configuring Directory Certificate Services Lesson 13.
Cryptography Chapter 14. Learning Objectives Understand the basics of algorithms and how they are used in modern cryptography Identify the differences.
Certificate revocation list
SECURITY MANAGEMENT Key Management in the case of public-key cryptosystems, we assumed that a sender of a message had the public key of the receiver at.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.
Secure Messaging Workshop The Open Group Messaging Forum February 6, 2003.
Maintaining Network Health. Active Directory Certificate Services Public Key Infrastructure (PKI) Provides assurance that you are communicating with the.
Public Key Infrastructure (X509 PKI) Presented by : Ali Fanian
Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®
Who’s watching your network The Certificate Authority In a Public Key Infrastructure, the CA component is responsible for issuing certificates. A certificate.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
Creating and Managing Digital Certificates Chapter Eleven.
Key Management. Authentication Using Public-Key Cryptography  K A +, K B + : public keys Alice Bob K B + (A, R A ) 1 2 K A + (R A, R B,K A,B ) 3 K A,B.
T EST T OOLS U NIT VI This unit contains the overview of the test tools. Also prerequisites for applying these tools, tools selection and implementation.
MICS Authentication Profile Maintenance & Update Presented for review and discussion to the TAGPMA On 1May09 by Marg Murray.
UGRID CA Self-audit report Sergii Stirenko 21 st EUGRIDPMA Meeting Utrecht 24 January 2011.
کاربرد گواهی الکترونیکی در سیستمهای کاربردی (امضای دیجیتال)
Security in ebXML Messaging
Installation & User Guide
PKI (Public Key Infrastructure)
Presentation transcript:

DYNAMIC VALIDITY PERIOD CALCULATION OF DIGITAL CERTIFICATES BASED ON AGGREGATED SECURITY ASSESSMENT By Alexander Beck Jens Graupmann Frank Ortmeier

Motivation Digital certificates are being widely used. Digital Certificates also has a validity period after which it expires. So for creating a fault tolerant system where no problem arises due to the expiration of the digital certificates, we should be able to assess the optimal time for which a digital certificate should be active. Here the authors discuss on how to identify the optimal validity period and factors to be considered to calculate it.

Introduction Digital certificates are an important component for cryptographic protection of IT infrastructures in large companies A common property of digital certificates is their predefined validity period. The algorithms that are used at the time of creation of certificate may be broken before the expiry of the certificate.

Choosing the right crypto period The security level of IT systems should always be in relation to their actual threat. The current threat is not only the system vulnerabilities but also, on the interest in the system for unauthorized persons. The lifetime of an issuing certificate should never end before the lifetime of an issued certificate. Certificates will not be replaced before their expiry.

Vulnerability of IT-systems Manual Security Assessment General Security Audit: ◦ A documented status of the detection of defects and security vulnerabilities. IT System Audit: Aspects of ◦ Software versions (authorization (roles & permissions) and passwords) ◦ Safety related configuration

Vulnerability of IT-systems Manual Security Assessment Vulnerability Scanning: In the aspects of ◦ Installed operating system and Software ◦ Open ports ◦ Used services Penetration test: ◦ A penetration tester tries with appropriate programs or methods to penetrate a system and exploit vulnerabilities that were identified

Vulnerability of IT-systems Automated Security Assessment These automated calculation of system vulnerabilities are based on Configuration Management Database (CMDB) It includes the hardware and software including their exact versions and patch levels.

Vulnerability of IT-systems Automated Security Assessment

Conditions The calculation formula has to fulfill the following conditions: ◦ The resulting value must lie in the interval [0; 1] (1 means system is completely safe) ◦ The aggregated value must be less than or equal to the smallest single value.

Key length & algorithm The longer the key length is, the longer the life time of a certificate can be chosen. Different algorithms and key lengths are compared and stored in the data base. This information needs to be verified and updated on a regular basis. The combination of algorithm and key length must be assessed with a value between 0 and 1 with respect to safety. ◦ 0 – implies the algorithm is known to be broken ◦ 1- considers to be safe for a long time.

Revocation Status The revocation status can be checked using an Online Certificate Status Protocol(OCSP) service or (CRL) certificate-revocation-list. OCSP provides more timely information regarding the revocation status is has to be rated in comparison to CRLs in the context of calculation This factor can be quantified trivially: ◦ usage of an OCSP service: 1 ◦ usage of CRL: 0.75 ◦ no revocation checking: 0.5

Key storage of CA certificate and length of certificate chain Usually certificates are not issued by Root CA, but by a Sub-CA. Depending on the size and structure of the PKI – operating company the path length from the root CA to the sub- CA can differ. The safety level of a Sub- CA is lower than that of each higher level. For this reason, the path length will be considered and one possible calculation is 1/ path length.

Certificate Distribution Delivery : Automatic ◦ Automated methods (SCEP, CMP) in which the certificate using resource generates the keys itself and issues a certificate request. Delivery : Manual ◦ The manual delivery of a particular certificate including the private key with in a container via e- mail is critical.

Aggregation

Aggregation The security Risk Assessment uses the factors described above to perform the computation of an optimal certificate lifetime. The following condition must be met for the calculated runtime:

CLM- Architecture with Security Risk Assessment

Conclusion In this paper, an approach is presented to dynamically compute a proper certificate lifetime based on generally accepted factors and current security ratings. It was shown how this dynamic calculation can be embedded into a certificate life-cycle management system.

THANK YOU

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.